CS255: Introduction to Cryptography
Winter 2011
Assignment #3: Solutions
Answer 1.
(a)
We have
d
eve
≡
e

1
eve
(
mod
φ
(
N
))
, so that
φ
(
N
)
divides
d
eve
·
e
eve

1.
(b)
Pick a random nonzero
g
in
Z
N
. In the unlikely event that
g
≡
0
(
mod
p
)
, then gcd
(
p
,
N
) =
p
,
and we have factored
N
, so assume that this didn’t happen. Let
τ
p
(
g
)
,
τ
q
(
g
)
(which we don’t yet know)
be the largest powers of 2 that divide ord
p
(
g
)
and ord
q
(
g
)
, respectively. Without loss of generality, let
τ
p
(
g
)
≤
τ
q
(
g
)
.
Note that if
g
is not a quadratic residue mod
p
, which happens with probability
1
2
, then
τ
p
(
g
) =
τ
(
p

1
)
, and otherwise
τ
p
(
g
)
< τ
(
p

1
)
. Since
τ
p
(
g
)
and
τ
q
(
g
)
are independent, no matter what
τ
q
(
g
)
is, the probability that
τ
p
(
g
) =
τ
q
(
g
)
is at most
1
2
.
Now compute
x
:
=
g
K
/τ
(
K
)
, then repeatedly square
x
.
We know that
x
τ
q
(
g
)
≡
1
(
mod
N
)
, so
consider the previous term
y
:
=
x
τ
q
(
g
)
/
2
, if there is one.
If
τ
p
(
g
)
< τ
q
(
g
)
, which happens with
probability
1
2
, then
y
≡
1
(
mod
p
)
, but
y
6≡
1
(
mod
q
)
. Note that in this case we are guaranteed to
have a
y
, because
τ
q
(
g
)
> τ
p
(
g
)
≥
1. Then gcd
(
y

1,
N
) =
p
, and we have factored
N
.
Since the above takes roughly cubic time in log
N
, and works with probability
1
2
each time, we will
factor
N
in cubic expected time.
Answer 2.
First, let us define
t
:
=
d
X

/
B
e
as the hint suggests. We start by building a table
T
in
the following way: first, choose a random element
k
, and add
k
to
T
. Repeatedly apply
f
to
k
until
one of the two following things happen: if we reach
k
again before we have applied
f
to
k
exactly
t
times, then delete
k
from
T
. If we have not reached
k
again after applying
f
to
k
exactly
t
times (i.e.
we are in a cycle of length
≤
t
+
1) then add the element we get after applying
f
to
k
exactly
t
times
to the table
t
. Let us call this new element
j
. We then apply
f
to
j
either until we reach
k
again (in
which case we stop) or until we have applied
f
exactly
t
times, at which point we add the resulting
element into the table and continue onward in the same fashion as we have been doing. When we do
reach
k
again, which must happen eventually due to the fact that every element in the group must be a
cycle, we choose some element that we have not come across and repeat the process above as though
the new element were
k
. We can repeat this process until we have gone through all of the elements. Of
course, this algorithm takes quite some time, but since we have no constraints at this time, we are free
to use a sluggish algorithm (and this is why we also don’t bother to mention implementation here—any
implementation that works is fine).
Now we explain how to invert an input
y
∈
X
in time
O
(
t
)
. Our procedure is relatively simple.
First, if
y
is in our table, then we are done, so we clearly do not have to worry about these cases. So
suppose that
y
is not in the table. In this case, we apply
f
to
y
repeatedly until we reach an element
in our table or until we reach
y
again, always keeping track of the previous element. Note that if
y
is in a cycle that does not contain a table entry, then the cycle length must be less than
t